A user wrote in to let me know that Bad Behavior 2 has finally been ported to Drupal.
The work is pretty early and needs some spit and polish, but you can get the early results from the Drupal site.
About a year ago I started a project called the Bad Behavior Blackhole. The purpose of the blackhole was to list known sources of blog spam and to publish that data for the use of bloggers who wanted to make use of it to prevent spam.
Due to lack of time, I put the project on hold indefinitely. But I’ve been slowly working on it, off and on, over the last few months. Mostly off, again, due to lack of time. As I’ve said before, I have to spend most of my time on things that pay the bills, and historically, fighting spam hasn’t really been one of them, unfortunately.
With Bad Behavior 2.0.6 this week, I released a new feature which checks POST requests against third-party spam blacklists. This has proven quite effective in stopping a lot of the spam that wasn’t otherwise caught, but it does have a few drawbacks.
First, since I don’t maintain any of the lists, it’s difficult for me to help anyone get removed from the lists, other than providing links back to the blacklist providers. I’ve seen a few positive hits which I don’t want to be blocking, such as dynamic IP addresses which once sent a spam two or three years ago and have been blacklisted ever since. (The list involved, list.dsbl.org, will be dropped in the next release, and you can edit the code and remove it yourself if you’re having problems with it.)
I envision the Bad Behavior Blackhole as much more responsive than other blacklists, as the users likely to be affected aren’t going to really know what’s going on, or why they should be blocked because somebody sent a spam back in 2003.
Specifically, Bad Behavior Blackhole will have the following features:
- Immediate removal for anyone upon request, the first time. Removal will be delayed for further requests from the same IP, to prevent spammers from removing themselves and sending more spam.
- Blacklisting only for a specific period of time, and only while spam is actually flowing from a given IP address. Once the spam stops, the address will be delisted automatically after a short time. If it restarts, then the address is relisted.
- List sources which are actually sending spam, as well as sources which are demonstrated to have compromised security, such as open proxy servers and Trojaned machines, before they can send spam.
- Usable from any platform. This covers Movable Type, WordPress, and just about anything else you can think of. Adding support for realtime blackhole lists to any given program is at most a 15-minute hack.
It needs about a day and a half worth of work to finish up and do the initial rollout. (Didn’t you notice the link for it was dead?) But as I said before, I’ve been delaying it due to lack of time. And this is where you come in. I work on Bad Behavior and related projects primarily as I have time, and I can afford to devote more time to it when more people contribute to its development.
Over the past couple of months I’ve been quietly setting up a honeypot blog, and collecting other sources of data on blog spammers, to feed the realtime blackhole list. The data is coming in. At this point it just needs to be connected to the Bad Behavior Blackhole, tested and released. Once this is done we’ll have a much more responsive list which actually keeps spammers out, keeps blocking of legitimate users to an absolute minimum, and provides an easy removal method for the rare person who might be blocked.
If you’d like to see this project completed sooner than later, contribute to further development of the Bad Behavior Blackhole.
And again, thank you all for your continued support in the war on web spam. Bad Behavior could not continue without it.
I received a report by email this morning from a user who successfully installed Bad Behavior on her GoDaddy-hosted blogs.
This is significant because for a very long time GoDaddy web hosting users could not run Bad Behavior, due to an apparently misconfigured reverse proxy which GoDaddy was running. The problem went unresolved for well over a year.
But last month I received an email from someone in GoDaddy’s security department who said he would look into the matter. It seems someone did something, as it appears people are able to use Bad Behavior on GoDaddy shared hosting now.
In my own testing against GoDaddy shared hosting sites, it appears that the header mangling which the reverse proxy was doing is no longer taking place, so Bad Behavior should run fine on GoDaddy shared hosting sites now.
If you use GoDaddy shared hosting, but have not been using Bad Behavior because it blocked everything when installed, please try it again and report back. Thank you!
I’ve rebuilt the Bad Behavior 2.0.6 package due to an error which causes users to be blocked in rare circumstances.
If you receive a user complaint that they were blocked, and when they click the “fix this yourself” link and are told they have a “Dynamic IP address,” or that they are not listed on any blacklists, then you are affected by this problem.
This problem occurs when the Web server has a
search domain listed in the
/etc/resolv.conf file, and the listed domain uses wildcard DNS. This is a very uncommon configuration, as the vast majority of sites either do not list any search domains, or list a domain which doesn’t use wildcard DNS.
Bad Behavior has been altered to bypass the search domain if it is listed, thereby solving the problem. Simply re-download Bad Behavior 2.0.6 to obtain the fix.
Bad Behavior 2.0.6 has been released.
About four weeks ago I provided a pre-release copy of Bad Behavior 2.0.6 to a select group of testers in order to evaluate a new method of blocking spam, and it’s proved quite successful at blocking a large chunk of spam. On my testbed it blocked 953 spams and missed about 50. So I expect it to cut the spam flow even further.
I said last month I wasn’t generally releasing it immediately so that I could determine whether it blocked any legitimate users. It did indeed block two people that I know of: one was resolved in moments through the fix-it-yourself link, and the other was myself, while using a Wi-Fi access point. I determined that someone had recently sent spam through the same AP, causing the blockage. It had also caught a third person, before the pre-release, whose computer was actually sending spam at the time.
So I’m releasing 2.0.6 generally. If you received a pre-release copy, this copy is unchanged, and you don’t need to do anything.
New in this release (since 2.0.5):
- A new blocking method using realtime blackhole lists is being used to determine if a post originates from a known spam source, open proxy, etc. GET requests are not screened. Links are provided to blackhole list removal procedures through the fix it yourself link.
As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.